US, International Intelligence Fight Against Encryption

Before 2013, encryption was known to the mainstream primarily through its use in spy movies. That changed after whistleblower Edward Snowden revealed several of the National Security Agency's mass surveillance programs, and in the half-decade since, encryption has gone from something Tom Cruise had to overcome to save the world to a major selling point for nearly every tech product. This shift has repeatedly frustrated government agencies, and the Five Eyes intelligence alliance is once again pushing back against the rise of encryption.

Five Eyes is a partnership between the United States, Canada, United Kingdom, Australia and New Zealand through which their respective intelligence agencies share information (the U.S. shares data with other countries, like Germany, but those relationships aren't as official as the one between these partner countries). The result is a massive surveillance network that encompasses most of the world and lets these countries assist each other with law enforcement investigations and matters of national security. Encryption makes this much harder.

That brings us to Five Eyes' latest call for encryption providers to offer ways for law enforcement and intelligence agencies to access user information. The alliance explained in the Statement of Principles on Access to Evidence and Encryption this week that the same encryption used to protect "personal, commercial and government information" is also used by "criminals, including child sex offenders, terrorists and organized crime groups to frustrate investigations and avoid detection and prosecution." They effectively argue that defending the former group enables the latter.

This argument has been made countless times before (the mention of child sex offenders and terrorists during a debate about encryption might as well be free spaces on the conversational Bingo card). Perhaps the most notable example in the U.S. came during the investigation into the San Bernardino shooting of 2015, when the FBI tried to force Apple to break the encryption on an iPhone owned by one of the shooters. The company refused, saying that complying with the request would set a precedent and expose flaws in the iPhone's security that others could exploit.

There have been many other times when concerns about governments forcing tech companies to put backdoors in their products were piqued. The argument is often the same: privacy advocates say encryption is required to allow people to live their lives without invasive government scrutiny, and law enforcement agencies say that offering secure products hinders their investigations. Thus far the privacy advocates have won because it's simply impossible to guarantee a backdoor would only be used for lawful investigations; anyone could exploit the vulnerability.

But Five Eyes made the same appeal in its recent Statement. The alliance said:

"The increasing gap between the ability of law enforcement to lawfully access data and their ability to acquire and use the content of that data is a pressing international concern that requires urgent, sustained attention and informed discussion on the complexity of the issues and interests at stake. Otherwise, court decisions about legitimate access to data are increasingly rendered meaningless, threatening to undermine the systems of justice established in our democratic nations. ... Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions."

It's been all too easy over the last few months to forget that many of the security features tech companies introduced--and started advertising--in the wake of the Snowden revelations are constantly scrutinized by government agencies that want access to as much data as possible. But the Five Eyes statement appears to be another declaration in the ongoing "Crypto War," and that could mean an increase in government efforts to force tech companies to put backdoors in their products.

"The result is a massive surveillance network that encompasses most of the world and lets these countries assist each other with law enforcement investigations and matters of national security."

SPECTRE much?

mwryder55

They can't even protect their own computers from unlawful access and they want to make it even easier for others to get into our computers and our data? A lot of data has to be encrypted to give some protection to it. I don't think anyone wants their credit card data open to the world to make it easier for some overpaid government employee to go fishing for some justification for his job.

caustin582

Quote:

The alliance explained in the Statement of Principles on Access to Evidence and Encryption this week that the same encryption used to protect "personal, commercial and government information" is also used by "criminals, including child sex offenders, terrorists and organized crime groups to frustrate investigations and avoid detection and prosecution." They effectively argue that defending the former group enables the latter.

Those latter groups also breathe oxygen. Maybe we should get rid of that too?

koga73

Encryption is a privacy tool. Governments don't believe their citizens should have privacy. They aim to compromise the privacy provided by encryption in the name of stopping bad actors. There are numerous tools that can be used for good or bad, that doesn't mean the tool is inherently bad. Take security software for example, vulnerability scanners can be used by companies to identify vulnerabilities to patch, however they can also be used by hackers to identify vulnerabilities to exploit, does that mean we should ban vulnerability scanners? If governments want access to encrypted information then they should have to work for it and crack the encryption rather than asking for a backdoor or key escrow.

compprob237

Mass spying already violates the 4th amendment, at least for the US constitution, and they want to make it easier to violate the constitution? I have one word in mind for them: No. If it comes to it then the same saying used to defend the 2nd amendment applies: From my cold, dead hands. The government doesn't need more power and control over its people. It needs less.

shrapnel_indie

In the same vein as compprob237's statements. Here is another one.. but first, of course the gov'ts involved won't back down on their encryption one iota.

Just like firearms, the bad guys won't care whether it's illegal to obtain, own, or use. They'll use it anyway. Meanwhile law abiding citizens/subjects/[insert your fav term for someone who has zero rights under their gov't] will suffer because of it.

Reality is the bad guys just make an excellent and handy excuse to strip the rest of us of rights that are supposed to be natural/inalienable or unalienable (at least in the eyes of the founding fathers of The United States.) Remember the Bill of Rights was put in place to restrict government from infringing on what was and are inalienable rights... or as they felt... God Given rights. (Yes. many were theists, not atheists or agnostics.)

caustin582

330834 said:

In the same vein as compprob237's statements. Here is another one.. but first, of course the gov'ts involved won't back down on their encryption one iota.
Do they really think the bad guys will say "Oh, it's illegal to encrypt now... oh well... I'll just click send anyway." or "Oh, it's illegal to encrypt now. we better stop being bad guys."
Just like firearms, the bad guys won't care whether it's illegal to obtain, own, or use. They'll use it anyway. Meanwhile law abiding citizens/subjects/[insert your fav term for someone who has zero rights under their gov't] will suffer because of it.
Reality is the bad guys just make an excellent and handy excuse to strip the rest of us of rights that are supposed to be natural/inalienable or unalienable (at least in the eyes of the founding fathers of The United States.) Remember the Bill of Rights was put in place to restrict government from infringing on what was and are inalienable rights... or as they felt... God Given rights. (Yes. many were theists, not atheists or agnostics.)

I don't think that's a good comparison. The authorities here aren't saying it should be illegal for individuals to use encryption, but rather that companies should implement back doors in their hardware and software that allow them to easily get past the encryption. If implemented on the hardware level, this would in fact have a profound effect on everyone's ability to encrypt their information, regardless of how much they care about obeying the law. The only way to get around it would be to build your own CPUs, which is obviously not an easy task.

mwryder55

300537 said:

330834 said:

In the same vein as compprob237's statements. Here is another one.. but first, of course the gov'ts involved won't back down on their encryption one iota.
Do they really think the bad guys will say "Oh, it's illegal to encrypt now... oh well... I'll just click send anyway." or "Oh, it's illegal to encrypt now. we better stop being bad guys."
Just like firearms, the bad guys won't care whether it's illegal to obtain, own, or use. They'll use it anyway. Meanwhile law abiding citizens/subjects/[insert your fav term for someone who has zero rights under their gov't] will suffer because of it.
Reality is the bad guys just make an excellent and handy excuse to strip the rest of us of rights that are supposed to be natural/inalienable or unalienable (at least in the eyes of the founding fathers of The United States.) Remember the Bill of Rights was put in place to restrict government from infringing on what was and are inalienable rights... or as they felt... God Given rights. (Yes. many were theists, not atheists or agnostics.)

I don't think that's a good comparison. The authorities here aren't saying it should be illegal for individuals to use encryption, but rather that companies should implement back doors in their hardware and software that allow them to easily get past the encryption. If implemented on the hardware level, this would in fact have a profound effect on everyone's ability to encrypt their information, regardless of how much they care about obeying the law. The only way to get around it would be to build your own CPUs, which is obviously not an easy task.

If the backdoor exists, whether known or not, they will be found and exploited. Would you want your credit card information on a server that is open to the world? The other thing to remember is that people have been encrypting messages for millennia without the use of computers. The use of a simple one-time pad is fairly simple and there is no backdoor to be exploited by someone trying to read your messages.

caustin582

644919 said:

If the backdoor exists, whether known or not, they will be found and exploited. Would you want your credit card information on a server that is open to the world?
The other thing to remember is that people have been encrypting messages for millennia without the use of computers. The use of a simple one-time pad is fairly simple and there is no backdoor to be exploited by someone trying to read your messages.

I don't think I implied in my post that I would want this to happen. I think it would be horrible. My point is just that convincing chip makers to implement backdoors or keyloggers would actually hamper everyone's ability to use computers to send and receive encrypted information. We'd all be screwed. The fact that the "bad guys" get screwed along with the "good guys" doesn't make it a good thing.

Sure, you could avoid technology altogether by writing something on a piece of paper and throwing it in the fire when you're done. Hell, you could just whisper into the other person's ear when no one's around. Obviously there are drawbacks in practicality when it comes to giving up computers entirely, though.

shrapnel_indie

300537 said:

330834 said:

In the same vein as compprob237's statements. Here is another one.. but first, of course the gov'ts involved won't back down on their encryption one iota.
Do they really think the bad guys will say "Oh, it's illegal to encrypt now... oh well... I'll just click send anyway." or "Oh, it's illegal to encrypt now. we better stop being bad guys."
Just like firearms, the bad guys won't care whether it's illegal to obtain, own, or use. They'll use it anyway. Meanwhile law abiding citizens/subjects/[insert your fav term for someone who has zero rights under their gov't] will suffer because of it.
Reality is the bad guys just make an excellent and handy excuse to strip the rest of us of rights that are supposed to be natural/inalienable or unalienable (at least in the eyes of the founding fathers of The United States.) Remember the Bill of Rights was put in place to restrict government from infringing on what was and are inalienable rights... or as they felt... God Given rights. (Yes. many were theists, not atheists or agnostics.)

I don't think that's a good comparison. The authorities here aren't saying it should be illegal for individuals to use encryption, but rather that companies should implement back doors in their hardware and software that allow them to easily get past the encryption. If implemented on the hardware level, this would in fact have a profound effect on everyone's ability to encrypt their information, regardless of how much they care about obeying the law. The only way to get around it would be to build your own CPUs, which is obviously not an easy task.

Maybe I did get a little carried away with the analogy... but I wouldn't doubt if they tried it, at least at this point in time, there would be outrage about it.... in the future, who knows...

Also if it was done on the hardware level.... with back doors, which means the encryption might as well not exist when it comes to corrupted/evil governments/corporations/people... There's nothing to stop someone from using old hardware to create the encrypted data and then send it on its way anyway. Do some research and you'll find cryptographic libraries for programming languages and encryption/decryption apps are plentiful right now. There's even laws, although not necessarily as strict as in the past, about what encryption strengths can and cannot be used and under what circumstances.

caustin582

330834 said:

Maybe I did get a little carried away with the analogy... but I wouldn't doubt if they tried it, at least at this point in time, there would be outrage about it.... in the future, who knows...
Also if it was done on the hardware level.... with back doors, which means the encryption might as well not exist when it comes to corrupted/evil governments/corporations/people... There's nothing to stop someone from using old hardware to create the encrypted data and then send it on its way anyway. Do some research and you'll find cryptographic libraries for programming languages and encryption/decryption apps are plentiful right now. There's even laws, although not necessarily as strict as in the past, about what encryption strengths can and cannot be used and under what circumstances.

Using old hardware would be a loophole, but also a major inconvenience. Hardware doesn't last forever, and safe devices would become increasingly scarce as time goes on. Also, just encrypting it on safe hardware wouldn't be enough--if the recipient decrypts the information on a compromised device then it could be exposed there too.

I'm well aware of how plentiful and available encryption software is. As a hobby I run a Freenet node on a VM within a hidden encrypted partition, just as a sort of proof of concept for a completely "untouchable" system. Literally nothing any 3rd party could do to even prove that it exists, unless I want them to know that it does. That of course would all go out the window if it were running on a CPU with a backdoor that the government had access to.

Not sure what you mean when you say there are laws governing the levels of encryption that can be used. Government and financial organizations are required to encrypt sensitive data, but the way you worded that statement made it sound like you're saying there are laws restricting people from using encryption beyond a certain level. Some forms of strong encryption do require an export license if you're including them as a feature of your software that you're making available internationally (particularly to rogue/terrorist states), but there are no laws restricting individuals from encrypting their own data any way they choose.

Christopher1

Why would they be fighting against encryption? They should be fighting against criminals misusing encryption, not encryption itself.

shrapnel_indie

75395 said:

Why would they be fighting against encryption? They should be fighting against criminals misusing encryption, not encryption itself.

That's their excuse to fight it: getting the bad guys who use it by denying them its use or use of stronger encryption. Meanwhile the side effect is they get to pry into everyone else's business, which is their real goal. After all, they want any hint of sedition or dislike of a political figure from even the average guy who may just vent to be known.

mwryder55

75395 said:

Why would they be fighting against encryption? They should be fighting against criminals misusing encryption, not encryption itself.

Just like their battle against people using guns to commit crimes, it is easier to say that the tool is the problem rather than the person "misusing" the tool. Rather than admit that they cannot do their job, they distract everyone by saying that the use of encryption, or guns, is the problem, not them.

capkdk

The best way of putting it: if people want back doors for police access on the web, they should leave the back door of the house unlocked for the police to use if needed and hope a criminal never uses it. Open back doors are dangerous on the web or in the physical world, period.